CVE-2024-23342

7.4 HIGH

📋 TL;DR

CVE-2024-23342 is a vulnerability in the Python ecdsa package (python-ecdsa) that lets an attacker mount a side-channel timing attack (the Minerva attack) to extract private ECDSA keys. It affects any application that uses ecdsa versions 0.18.0 and earlier for cryptographic operations. An attacker who can time enough signing operations can potentially recover the private keys used for digital signatures or key exchange.

💻 Affected Systems

Products:
  • python-ecdsa package
Versions: 0.18.0 and earlier
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using vulnerable ecdsa versions for ECDSA, EdDSA, or ECDH operations are affected, because the flaw sits in the core cryptographic implementation: the library's elliptic-curve arithmetic is not constant-time, so the duration of an operation depends on secret values such as the signing nonce.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of cryptographic keys leading to forged signatures, decrypted communications, and identity impersonation across affected systems.

🟠 Likely Case

Targeted attacks against high-value systems where attackers can measure timing differences in signature operations to gradually extract private keys.

🟢 If Mitigated

Limited impact if systems use hardware security modules, constant-time implementations, or are not exposed to timing measurement attacks.

🌐 Internet-Facing: MEDIUM - Requires precise timing measurements and repeated signature operations, making remote exploitation challenging but possible in controlled conditions.
🏢 Internal Only: MEDIUM - Internal attackers with network access could potentially measure timing differences if they can trigger signature operations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

The Minerva attack is well-documented and requires the ability to measure timing differences across many signature operations. Exploitation requires significant computational resources and precise timing measurements.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available as of publication

Vendor Advisory: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp

Restart Required: No

Instructions:

No official patch exists. Monitor the GitHub repository for updates and consider alternative libraries or workarounds.

🔧 Temporary Workarounds

Switch to alternative cryptography library (applies to: all)

Replace ecdsa with a constant-time implementation such as cryptography.io (OpenSSL-backed) or libsecp256k1 bindings, and migrate the code that calls ecdsa for signing, verification and key exchange. Uninstalling the package only removes the exposure if nothing else in the environment still imports it, so check transitive dependencies as well.

pip uninstall ecdsa
pip install cryptography

Implement constant-time comparison wrapper (applies to: all)

Use constant-time comparison functions (for example hmac.compare_digest) wherever signatures, MACs or keys are compared, as described in security references. Note that this only removes timing leaks in the comparison step; it does not address the nonce-dependent timing of the curve arithmetic inside ecdsa, which is what the Minerva attack exploits.

🧯 If You Can't Patch

  • Isolate systems using vulnerable ecdsa versions from untrusted networks
  • Implement rate limiting on signature operations to make timing attacks more difficult

🔍 How to Verify

Check if Vulnerable:

Check installed ecdsa version: pip show ecdsa | grep Version

Check Version:

python -c "import ecdsa; print(ecdsa.__version__)"

Verify Fix Applied:

Verify ecdsa is not installed or version is above 0.18.0 when patch becomes available
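To run the version check above across requirement files and the active interpreter in one go, here is an added Python helper (example code written for this page, not part of the advisory or the python-ecdsa project); the SAMPLE_REQUIREMENTS lines are constructed, and the 0.18.0 cut-off is taken from the Affected Systems section.

```python
import re
from importlib import metadata
# Latest affected release per this advisory: 0.18.0 and everything earlier is vulnerable.
LAST_VULNERABLE = (0, 18, 0)
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*([a-z]+\d*)?\s*$")
# Matches 'ecdsa', 'ecdsa==0.18.0' or 'ECDSA>=0.16'; groups are the operator and version, if any.
_REQ_RE = re.compile(r"^ecdsa\s*(?:([=<>!~]+)\s*([\w.*]+))?\s*$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, patch) for '0.18.0', '0.13' or '0.18.0b2'; pre-release tags are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups()[:3])

def is_vulnerable(version):
    """True when the ecdsa version falls in the range this CVE covers (0.18.0 or earlier)."""
    return parse_version(version) <= LAST_VULNERABLE

def audit_requirements(lines):
    """Classify every ecdsa entry in requirements.txt / 'pip freeze' lines; only exact '=='
    pins are judged, ranges and unpinned entries come back 'unknown' for manual resolution."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _REQ_RE.match(line)
        if not m:
            continue  # some other package
        op, ver = m.groups()
        if op == "==":
            findings.append((ver, "vulnerable" if is_vulnerable(ver) else "not affected"))
        elif op is None:
            findings.append(("unpinned", "unknown"))
        else:
            findings.append((op + ver, "unknown"))
    return findings

def installed_ecdsa_status():
    """Check the interpreter this runs in; returns (version or None, status)."""
    try:
        ver = metadata.version("ecdsa")
    except metadata.PackageNotFoundError:
        return None, "not installed"
    return ver, "vulnerable" if is_vulnerable(ver) else "not affected"

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = ["ecdsa==0.18.0  # signing helper", "ecdsa==0.17.0", "ECDSA>=0.16", "ecdsa", "cryptography==42.0.5"]

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS), installed_ecdsa_status())
```

Entries reported as unknown should be resolved against the deployed environment (pip show ecdsa), since a range specifier says nothing about which release is actually installed.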

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of signature generation requests
  • Repeated signature operations from single sources

Network Indicators:

  • High volume of cryptographic operation requests with precise timing
  • Network traffic patterns suggesting timing measurement

SIEM Query:

source=application_logs ("signature" OR "ecdsa") | stats count by src_ip, user_agent | where count > threshold

Replace threshold with a per-source baseline for your environment; without the parentheses the OR would also match every "ecdsa" event outside application_logs.
